Ensure apparmor is installed (Ubuntu)

[rtsp]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Exactly same as #8011 but for Ubuntu (#7965 (comment))

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

I don't have Ubuntu to test this PR but it should work fine for both 18.04 (apparmor 2.12) and 20.04 (apparmor 2.13).

Does this PR introduce a user-facing change?:

Ensure apparmor is installed on Ubuntu

[k8s-ci-robot]

Hi @rtsp. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[oomichi]

When I saw another pull request for Debian, I guessed apparmor can be optional on Debian and it is fine to check the installation.
For Ubuntu, apparmor is always installed on my machines.
Is there any installation option without apparmor on Ubuntu?

[fungusakafungus]

When I saw another pull request for Debian, I guessed apparmor can be optional on Debian and it is fine to check the installation. For Ubuntu, apparmor is always installed on my machines. Is there any installation option without apparmor on Ubuntu?

What do you mean with "an option"? Package docker-ce recommends apparmor on ubuntu, packages containerd.io or kubelet don't mention it, it has Task: standard, ubuntu-core, some packages depend on it, but other that that, it is optional, we ran kubernetes perfectly well without apparmor package until version 1.21.

[rtsp]

When I saw another pull request for Debian, I guessed apparmor can be optional on Debian and it is fine to check the installation. For Ubuntu, apparmor is always installed on my machines. Is there any installation option without apparmor on Ubuntu?

apparmor is not actually required for Debian/Ubuntu. It's just preinstalled on normal CD or Cloud VM images.

There're some edge cases that apparmor may be missing from Debian (and also Ubuntu) such as

• Using minimal VM image from some local cloud provider
  • This is the reason why I tried to fix Fix containerd failed to start if apparmor is not installed #8011
• Building your own VM image with debootstrap (base system only)
• Previously removed by user

So, If the apparmor is required by kubespray because both docker and containerd need it. I think it's no downside for explicitly specify it in required_pkgs var to ensure its existance.

[oomichi]

When I saw another pull request for Debian, I guessed apparmor can be optional on Debian and it is fine to check the installation. For Ubuntu, apparmor is always installed on my machines. Is there any installation option without apparmor on Ubuntu?

apparmor is not actually required for Debian/Ubuntu. It's just preinstalled on normal CD or Cloud VM images.

There're some edge cases that apparmor may be missing from Debian (and also Ubuntu) such as

* Using minimal VM image from some local cloud provider
  
  * This is the reason why I tried to fix [Fix containerd failed to start if apparmor is not installed #8011](https://github.com/kubernetes-sigs/kubespray/pull/8011)

* Building your own VM image with `debootstrap` (base system only)

* Previously removed by user

So, If the apparmor is required by kubespray because both docker and containerd need it. I think it's no downside for explicitly specify it in required_pkgs var to ensure its existance.

I see.
Thanks for your explanation.
It is fine to add apparmor for such corner cases.

/ok-to-test
/lgtm

[floryut]

Thanks @rtsp

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, rtsp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment